SUMMARY

NCCIC/ICS-CERT is aware of a public report of an SQL Injection vulnerability with proof-of-concept (PoC) exploit code affecting Navis WebAccess application. This report was released by “bRpsd” without coordination with either the vendor or ICS-CERT. ICS-CERT has reached out to the affected vendor to validate the report. ICS-CERT is issuing this alert to provide notice of the report and to identify baseline mitigations for reducing risks to this and other cybersecurity attacks.

The report included vulnerability details and PoC exploit code for the following vulnerability:

Vulnerability Type: SQL Injection
Remotely Exploitable: Yes
Impact: Application does not properly sanitize input, which may allow a remote attacker to read and modify data in the SQL database.

The affected product, WebAccess, is a web-based application that provides the operator and its constituents with real-time, online access to operational logistics information. The WebAccess application is deployed across the Transportation sector. It is estimated that these products are used worldwide.

FOLLOW-UP

ICS-CERT released a follow-up advisory ICSA-16-231-01 Navis WebAccess SQL Injection Vulnerability to the ICS-CERT Web site on August 18, 2016.

MITIGATION

ICS-CERT is currently reaching out to the vendor to identify mitigations.

ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize the potential damage of a successful SQL injection attack by minimizing the privileges assigned to every database account to only what is necessary.

Minimize network exposure for all systems supporting control systems, and ensure that they are not accessible from the Internet.

Locate systems and devices supporting control system networks behind firewalls, and isolate them from the business network.

When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
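The impact row above attributes the flaw to unsanitized input, and the first mitigation asks for least privilege on every database account. The following is an added example, not code from the alert or from Navis: it puts a string-built query next to a parameterized one on a constructed SQLite table, and uses a read-only SQLite connection as a stand-in for a database account that lacks write rights, so that even a query that reaches the database cannot modify data.

```python
"""Added example (constructed): string-built vs. parameterized SQL, plus a
read-only connection standing in for a least-privilege database account."""
import os
import sqlite3
import tempfile

# Constructed sample rows; the table layout is an assumption for this example.
SAMPLE_ROWS = [
    ("alice", "ops"),
    ("bob", "viewer"),
]


def make_db(path):
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.close()


def lookup_unsafe(conn, name):
    """Vulnerable form: untrusted input is spliced into the SQL text, so a
    quote in the input changes the structure of the statement."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: the value is bound as a parameter and is never parsed
    as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def readonly_write_blocked(path):
    """Open the same database with mode=ro (the least-privilege stand-in) and
    confirm that a write is refused by the database itself."""
    ro = sqlite3.connect("file:" + path + "?mode=ro", uri=True)
    try:
        ro.execute("UPDATE users SET role = 'admin'")
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        ro.close()


def demo():
    """Run the comparison on a constructed hostile input and report counts."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        make_db(path)
        conn = sqlite3.connect(path)
        tautology = "' OR '1'='1"  # constructed input that is not a user name
        unsafe_rows = lookup_unsafe(conn, tautology)  # matches every row
        safe_rows = lookup_safe(conn, tautology)      # matches nothing
        conn.close()
        return {
            "unsafe_rows": len(unsafe_rows),
            "safe_rows": len(safe_rows),
            "write_blocked": readonly_write_blocked(path),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Parameter binding removes the injection; the read-only connection limits what a bug that slips through can do, which is the layered effect the mitigation list is after.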

Additional details about mitigating SQL injection can be found in the following publications:

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

Systems Affected

All Symantec and Norton branded antivirus products

Overview

Symantec and Norton branded antivirus products contain multiple vulnerabilities. Some of these products are in widespread use throughout government and industry. Exploitation of these vulnerabilities could allow a remote attacker to take control of an affected system.

Description

The vulnerabilities are listed below:

CVE-2016-2207

CVE-2016-2208

Symantec antivirus products use common unpackers to extract malware binaries when scanning a system. A heap overflow vulnerability in the ASPack unpacker could allow an unauthenticated remote attacker to gain root privileges on Linux or OSX platforms. The vulnerability can be triggered remotely using a malicious file (via email or link) with no user interaction. [2]

Impact

The large number of products affected (24 products), across multiple platforms (OSX, Windows, and Linux), and the severity of these vulnerabilities (remote code execution at root or SYSTEM privilege) make this a very serious event. A remote, unauthenticated attacker may be able to run arbitrary code at root or SYSTEM privileges by taking advantage of these vulnerabilities. Some of the vulnerabilities require no user interaction and are network-aware, which could result in a wormable event.

Solution

Symantec has provided patches or hotfixes for these vulnerabilities in their SYM16-008 [9] and SYM16-010 [10] security advisories.

US-CERT encourages users and network administrators to patch Symantec or Norton antivirus products immediately. While there has been no evidence of exploitation, the ease of attack, widespread nature of the products, and severity of the exploit may make this vulnerability a popular target.

SUMMARY

NCCIC/ICS-CERT is aware of a public report of three vulnerabilities affecting the Sierra Wireless AirLink Raven XE and XT gateways. According to this report, the affected products allow unauthenticated access to directories on the system, which may allow remote file upload, download, and system reboot. According to this report, the affected products also contain a cross-site request forgery vulnerability that may make it possible for an attacker to trick a user into making an unintentional request to a web server, which is treated as an authenticated request, by accessing a malicious URL or downloading a malicious file. In addition, the public report indicates that the affected devices are vulnerable to credential sniffing, which could be used to log into the system.

The public report was released after the independent researcher, Karn Ganeshen, collaborated with the affected vendor to validate the vulnerabilities and identify mitigation procedures.

ICS-CERT has contacted the affected vendor, and the vendor has validated the reported vulnerabilities. ICS-CERT is issuing this alert to provide notice of the public report and to identify baseline mitigations for reducing risks to these and other cybersecurity attacks.

The report included vulnerability details for the following vulnerabilities:

Vulnerability Type: Unauthenticated access/Arbitrary file upload
Remotely Exploitable: Yes
Impact: Remote arbitrary file upload, download, and system reboot

Vulnerability Type: Cross-site request forgery
Remotely Exploitable: Yes
Impact: Possible for an attacker to trick a user into making an unintentional request to a web server

Vulnerability Type: Vulnerable to credential sniffing
Remotely Exploitable: Yes
Impact: Sniffed credentials could be used to log into the system

The Sierra Wireless Raven XE and XT wireless gateways are used in the following industries and applications: utilities, manufacturing, automation, oil and gas, Ethernet-based SCADA, and telemetry.

Sierra Wireless announced in March 2016 that they were going to discontinue the sale of Raven XE and XT gateways on August 31, 2016; however, limited telephone support will be available until December 30, 2019.

MITIGATION

Sierra Wireless advises that the Raven XE and XT products are end of life and no new firmware releases will be made available. In order to mitigate the risks presented by the identified vulnerabilities and other security concerns, Sierra Wireless recommends that Raven XE and XT users follow best practices, which include the following:

To minimize the risk associated with nonrandom default passwords:

Change the default password on all equipment you purchase from any source.

Use firewall configuration options to disable user access on all nonessential interfaces, in particular the cellular WAN interface.

Take reasonable steps to physically secure local interfaces (e.g., deploy in a lockbox or restricted-access facility).

Do not enable the port forwarding feature to forward traffic to devices that operate unauthenticated or otherwise insecure network interfaces.

To minimize the risk associated with lack of anti-cross-site request forgery tokens in AceManager:

Do not operate AceManager from a client device that has simultaneous access to the Raven device and the public Internet, where most cross-site request forgery attacks are found.

To minimize the risk associated with sensitive information exposed via HTTP GET operations through the AceManager interface, and unauthenticated access to directories:

Disable AceManager access via the cellular WAN interface, particularly when the device is operating on public networks.
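The second group of recommendations exists because AceManager lacks anti-cross-site-request-forgery tokens, so a browser that is logged in and also reachable from the public Internet can be made to submit a state-changing request. The following is an added example, not Sierra Wireless code and not a model of AceManager: it shows what such a token adds to a toy "reboot" handler. The session store, the server key and the request shape are constructed for the example.

```python
"""Added example (constructed): session-bound anti-CSRF tokens for a
state-changing web action."""
import hashlib
import hmac
import secrets

# Per-deployment secret that binds tokens to sessions (constructed here).
SERVER_KEY = secrets.token_bytes(32)

# Constructed session store: session id -> authenticated user.
SESSIONS = {"sess-alice": "alice"}


def issue_csrf_token(session_id: str) -> str:
    """Token = random nonce + HMAC(server key, session id and nonce).
    It is embedded in the HTML form the server renders; a page on another
    origin cannot read that form, so it cannot supply a valid token."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), mac.encode())


def handle_reboot(request: dict) -> str:
    """Toy handler for a device reboot. The browser attaches the session
    cookie to any request automatically, so the cookie alone must not
    authorize a state change; the form token is required as well."""
    session_id = request.get("cookie_session")
    if session_id not in SESSIONS:
        return "401 not authenticated"
    if request.get("method") != "POST":
        return "405 state changes require POST"
    if not verify_csrf_token(session_id, request.get("form_csrf")):
        return "403 CSRF token missing or invalid"
    return "200 reboot scheduled"


def demo() -> dict:
    """Legitimate request, a forged cross-site request, and a token minted
    for a different session."""
    token = issue_csrf_token("sess-alice")
    legit = {"method": "POST", "cookie_session": "sess-alice",
             "form_csrf": token}
    # Forged request: the victim's browser sends the cookie, but the page
    # that triggered the request had no way to obtain the token.
    forged = {"method": "POST", "cookie_session": "sess-alice"}
    other = {"method": "POST", "cookie_session": "sess-alice",
             "form_csrf": issue_csrf_token("sess-bob")}
    return {
        "legit": handle_reboot(legit),
        "forged": handle_reboot(forged),
        "other_session": handle_reboot(other),
    }


if __name__ == "__main__":
    print(demo())
```

Where a device cannot be updated to add such tokens, as is the case for the end-of-life Raven products, the recommendation above (do not browse the public Internet from the client that manages the device) is the remaining control, because it removes the attacker's page from the same browser as the authenticated session.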

For additional information about these vulnerabilities or the recommendations provided, please contact Sierra Wireless’ security team at:

ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.

Locate control system networks and devices behind firewalls, and isolate them from the business network.

When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

Systems Affected

Windows, OS X, Linux systems, and web browsers with WPAD enabled

Networks using unregistered or unreserved TLDs

Overview

Web Proxy Auto-Discovery (WPAD) Domain Name System (DNS) queries that are intended for resolution on private or enterprise DNS servers have been observed reaching public DNS servers [1]. In combination with the new generic top level domain (gTLD) program’s incorporation of previously undelegated gTLDs for public registration, leaked WPAD queries could result in domain name collisions with internal network naming schemes [2] [3]. Opportunistic domain registrants could abuse these collisions by configuring external proxies for network traffic and enabling man-in-the-middle (MitM) attacks across the Internet.

Description

WPAD is a protocol used to ensure all systems in an organization use the same web proxy configuration. Instead of individually modifying configurations on each device connected to a network, WPAD locates a proxy configuration file and applies the configuration automatically.

The use of WPAD is enabled by default on all Microsoft Windows operating systems and Internet Explorer browsers. WPAD is supported but not enabled by default on Mac OS X and Linux-based operating systems, as well as Safari, Chrome, and Firefox browsers.

With the New gTLD program, previously undelegated gTLD strings are now being delegated for public domain name registration [3]. These strings may be used by private or enterprise networks, and in certain circumstances, such as when a work computer is connected from a home or external network, WPAD DNS queries may be made in error to public DNS servers. Attackers may exploit such leaked WPAD queries by registering the leaked domain and setting up MitM proxy configuration files on the Internet.

Impact

Leaked WPAD queries could result in domain name collisions with internal network naming schemes. If an attacker registers a domain to answer leaked WPAD queries and configures a valid proxy, there is potential to conduct man-in-the-middle (MitM) attacks across the Internet.

The WPAD vulnerability is significant to corporate assets such as laptops. In some cases, these assets are vulnerable even while at work, but observations indicate that most assets become vulnerable when used outside an internal network (e.g., home networks, public Wi-Fi networks).

The impact of other types of leaked DNS queries and connection attempts varies depending on the type of service and its configuration.

Solution

US-CERT encourages users and network administrators to implement the following recommendations to provide a more secure and efficient network infrastructure:

Consider disabling automatic proxy discovery/configuration in browsers and operating systems unless those systems will only be used on internal networks.

Consider using a registered and fully qualified domain name (FQDN) from global DNS as the root for enterprise and other internal namespace.

Consider using an internal TLD that is under your control and restricted from registration with the new gTLD program. Note that there is no assurance that the current list of “Reserved Names” from the new gTLD Applicant Guidebook (AGB) will remain reserved with subsequent rounds of new gTLDs [5].
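The Description above says a WPAD client asks DNS for a proxy configuration host under its search suffix, and the Solution recommends rooting internal names under a registered FQDN. A practical first step is to see whether such queries are leaving your network at all. The following is an added example, not from US-CERT: it runs over constructed DNS query log lines (a simple "time client qname resolver" format assumed for the example) and reports WPAD lookups answered by non-private resolvers, marking which of them fall outside a registered root the organization controls and are therefore exposed to a name collision.

```python
"""Added example (constructed): flag WPAD DNS queries that left the network
for public resolvers and judge their collision exposure."""
import ipaddress
import re
from collections import Counter

# Constructed log lines: "<time> <client_ip> <qname> <resolver_ip>".
SAMPLE_LOG = """\
2016-05-23T08:01:02 10.0.0.15 wpad.hq.corp 10.0.0.2
2016-05-23T08:05:44 192.168.1.20 wpad.hq.corp 8.8.8.8
2016-05-23T08:05:45 192.168.1.20 wpad.corp 8.8.8.8
2016-05-23T09:12:10 10.0.0.31 www.example.com 10.0.0.2
2016-05-23T09:30:00 172.16.4.9 wpad.ad.example.com 1.1.1.1
"""

# Assumed for the example: the organization has registered example.com and
# uses it as the root of an internal namespace, as the Solution recommends.
REGISTERED_ROOTS = {"example.com"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, resolver = m.groups()
    return {"ts": ts, "client": client,
            "qname": qname.lower().rstrip("."), "resolver": resolver}


def is_private_resolver(ip):
    """An internal resolver is assumed to have an RFC 1918 address."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def under_registered_root(suffix, roots):
    return any(suffix == r or suffix.endswith("." + r) for r in roots)


def find_leaked_wpad(log_text, roots=REGISTERED_ROOTS):
    """WPAD queries that went to a non-private resolver. collision_risk is
    True when the queried suffix is not under a root the organization
    controls, so another registrant could answer it."""
    leaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["qname"].startswith("wpad."):
            continue
        if is_private_resolver(rec["resolver"]):
            continue
        suffix = rec["qname"][len("wpad."):]
        rec["leaked_suffix"] = suffix
        rec["collision_risk"] = not under_registered_root(suffix, roots)
        leaks.append(rec)
    return leaks


def summarize(leaks):
    """Count leaked suffixes, which is what an admin needs to decide which
    namespaces to re-root or which clients to reconfigure."""
    return Counter(l["leaked_suffix"] for l in leaks)


if __name__ == "__main__":
    found = find_leaked_wpad(SAMPLE_LOG)
    for rec in found:
        print(rec["client"], rec["qname"], "->", rec["resolver"],
              "collision risk" if rec["collision_risk"] else "controlled root")
    print(summarize(found))
```

In the constructed log the client 192.168.1.20 is the laptop case from the Impact section: off the corporate network, its WPAD lookups for the internal suffix go to a public resolver, and the bare `wpad.corp` query shows how suffix devolution walks up to a string that may be delegated as a gTLD. The `wpad.ad.example.com` lookup also leaks, but the name is under a registered root, so it cannot be claimed by a third party.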

Systems Affected

Outdated or misconfigured SAP systems

Overview

At least 36 organizations worldwide are affected by an SAP vulnerability [1]. Security researchers from Onapsis discovered indicators of exploitation against these organizations’ SAP business applications.

The observed indicators relate to the abuse of the Invoker Servlet, a built-in functionality in SAP NetWeaver Application Server Java systems (SAP Java platforms). The Invoker Servlet contains a vulnerability that was patched by SAP in 2010. However, the vulnerability continues to affect outdated and misconfigured SAP systems.

SAP Java platforms are the base technology stack for many SAP business applications and technical components, including:

SAP Enterprise Resource Planning (ERP),

SAP Product Lifecycle Management (PLM),

SAP Customer Relationship Management (CRM),

SAP Supply Chain Management (SCM),

SAP Supplier Relationship Management (SRM),

SAP NetWeaver Business Warehouse (BW),

SAP Business Intelligence (BI),

SAP NetWeaver Mobile Infrastructure (MI),

SAP Enterprise Portal (EP),

SAP Process Integration (PI),

SAP Exchange Infrastructure (XI),

SAP Solution Manager (SolMan),

SAP NetWeaver Development Infrastructure (NWDI),

SAP Central Process Scheduling (CPS),

SAP NetWeaver Composition Environment (CE),

SAP NetWeaver Enterprise Search,

SAP NetWeaver Identity Management (IdM), and

SAP Governance, Risk & Control 5.x (GRC).

The vulnerability resides on the SAP application layer, so it is independent of the operating system and database application that support the SAP system.

Impact

Exploitation of the Invoker Servlet vulnerability gives unauthenticated remote attackers full access to affected SAP platforms, providing complete control of the business information and processes on these systems, as well as potential access to other systems.

Solution

In order to mitigate this vulnerability, US-CERT recommends users and administrators implement SAP Security Note 1445998 and disable the Invoker Servlet. For more mitigation details, please review the Onapsis threat report [1].

In addition, US-CERT encourages that users and administrators:

Scan systems for all known vulnerabilities, such as missing security patches and dangerous system configurations.

Identify and analyze the security settings of SAP interfaces between systems and applications to understand risks posed by these trust relationships.

Analyze systems for malicious or excessive user authorizations.

Monitor systems for indicators of compromise resulting from the exploitation of vulnerabilities.

Monitor systems for suspicious user behavior, including both privileged and non-privileged users.

Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.

Overview

According to Trend Micro, Apple will no longer be providing security updates for QuickTime for Windows, leaving this software vulnerable to exploitation. [1]

Description

All software products have a lifecycle. Apple will no longer be providing security updates for QuickTime for Windows. [1]

The Zero Day Initiative has issued advisories for two vulnerabilities found in QuickTime for Windows. [2][3]

Impact

Computer systems running unsupported software are exposed to elevated cybersecurity dangers, such as increased risks of malicious attacks or electronic data loss. Exploitation of QuickTime for Windows vulnerabilities could allow remote attackers to take control of affected systems.

Solution

Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows. Users can find instructions for uninstalling QuickTime for Windows on the Apple Uninstall QuickTime page. [4]

SUMMARY

This alert update is a follow-up to the NCCIC/ICS-CERT updated alert titled ICS-ALERT-16-099-01A Moxa NPort Device Vulnerabilities that was published April 20, 2016, on the ICS-CERT web page.

--------- Begin Update B Part 1 of 2 ---------

ICS-CERT is aware of a public report of vulnerabilities affecting multiple models of the Moxa NPort device. These vulnerabilities were reported by Reid Wightman of Digital Bond Labs, who coordinated with the vendor but not with ICS-CERT.

ICS-CERT is issuing this updated alert to provide notice of the report and to identify baseline mitigations for reducing risks to these and other cybersecurity attacks.

The report included details about the vulnerabilities:

Vulnerability Type: Unauthenticated retrievable sensitive account information
Remotely Exploitable: Yes
Impact: Disclosure of sensitive information

Vulnerability Type: Unauthenticated remote firmware update
Remotely Exploitable: Yes
Impact: Complete compromise of the affected system

Vulnerability Type: Buffer overflow
Remotely Exploitable: Yes
Impact: Possible arbitrary remote code execution

Vulnerability Type: Cross-site scripting
Remotely Exploitable: Yes
Impact: Web browser could execute malicious script

Vulnerability Type: Cross-site request forgery
Remotely Exploitable: Yes
Impact: Unverified HTTP requests may allow attacker to trick user into making unintentional request

Moxa has confirmed that the following NPort devices are affected by the reported vulnerabilities:

Moxa NPort 5100 series,

Moxa NPort 5200 series,

Moxa NPort 5400 series,

Moxa NPort 5600 series,

Moxa NPort 5600-DT/DTL series,

Moxa NPort 5100A series,

Moxa NPort 5200A series,

Moxa NPort P5150A series,

Moxa NPort 5x50AI-M12 series,

Moxa NPort 6000 series, and

Moxa NPort 6110 series.

The publicly disclosed vulnerabilities in the Moxa NPort devices include unauthenticated retrievable sensitive account information, which may allow a remote attacker to gain administrator privileges on the affected systems. The firmware of the affected devices can be updated over the network without authenticating, which may allow a remote attacker to completely compromise the system. Exploitation of the buffer overflow vulnerability may allow an unauthenticated attacker to execute arbitrary code remotely. The cross-site scripting vulnerability may allow an authenticated party to insert malicious code into webpages allowing malicious code to be executed by a web browser. The cross-site request forgery vulnerability may allow an attacker to trick a user into executing unwanted actions on a web application to which the user has authenticated.

At this time, ICS-CERT is not aware of publicly available exploit code that exploits the identified vulnerabilities.

Moxa is a Taiwan-based company that maintains offices in several countries around the world, including the US, UK, India, Germany, France, China, Russia, and Brazil.

MITIGATION

Moxa is planning to release a new firmware version in late-August 2016 that will address the five reported vulnerabilities in all the affected NPort devices, except for the NPort 6110. Moxa has reported that the NPort 6110 device was discontinued in December 2008 and will not have patches released to address these vulnerabilities.

Moxa recommends that customers using the NPort 6110 should upgrade the affected device.

--------- Begin Update B Part 2 of 2 ---------

Moxa also recommends disabling Ports 80/TCP (HTTP), 443/TCP (HTTPS), 22/TCP (SSH), and 23/TCP (TELNET). Moxa indicates that users should ensure that Ports 161/UDP, 4800/UDP, and 4900/TCP are only accessible by trusted systems and that restricting access to Ports 4800/UDP and 4900/TCP will impact remote systems administration.

--------- End Update B Part 2 of 2 ---------

ICS-CERT recommends that users should:

Set up access control to affected devices to prevent any unauthorized access.

Isolate affected systems from the Internet and all untrusted systems.

Locate control system networks and devices behind firewalls, and isolate them from the business network.

When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also, recognize that VPN is only as secure as the connected devices.

ICS-CERT also provides a recommended practices section for control systems on the ICS-CERT web site (http://ics-cert.us-cert.gov). Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

WHAT IS RANSOMWARE?

Ransomware is a type of malware that infects computer systems, restricting users’ access to the infected systems. Ransomware variants have been observed for several years and often attempt to extort money from victims by displaying an on-screen alert. Typically, these alerts state that the user’s systems have been locked or that the user’s files have been encrypted. Users are told that unless a ransom is paid, access will not be restored. The ransom demanded from individuals varies greatly but is frequently $200–$400 and must be paid in virtual currency, such as Bitcoin.

Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.

Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been spread through social media, such as Web-based instant messaging applications. Additionally, newer methods of ransomware infection have been observed. For example, vulnerable Web servers have been exploited as an entry point to gain access into an organization’s network.

WHY IS IT SO EFFECTIVE?

The authors of ransomware instill fear and panic into their victims, causing them to click on a link or pay a ransom, and users’ systems can become infected with additional malware. Ransomware displays intimidating messages similar to those below:

“Your computer has been infected with a virus. Click here to resolve the issue.”

“Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”

“All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

PROLIFERATION OF VARIANTS

In 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.

This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced, including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device, but also the contents of shared or networked drives. These variants are considered destructive because they encrypt users’ and organizations’ files, and render them useless until criminals receive a ransom.

In early 2016, a destructive ransomware variant, Locky, was observed infecting computers belonging to healthcare facilities and hospitals in the United States, New Zealand, and Germany. It propagates through spam emails that include malicious Microsoft Office documents or compressed attachments (e.g., .rar, .zip). The malicious attachments contain macros or JavaScript files to download Ransomware-Locky files.

Samas, another variant of destructive ransomware, was used to compromise the networks of healthcare facilities in 2016. Unlike Locky, Samas propagates through vulnerable Web servers. After the Web server was compromised, uploaded Ransomware-Samas files were used to infect the organization’s networks.

LINKS TO OTHER TYPES OF MALWARE

Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected system, and requests that a ransom be paid.

The close ties between ransomware and other types of malware were demonstrated through the recent botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.

SUMMARY

On December 23, 2015, Ukrainian power companies experienced unscheduled power outages impacting a large number of customers in Ukraine. In addition, there have also been reports of malware found in Ukrainian companies in a variety of critical infrastructure sectors. Public reports indicate that the BlackEnergy (BE) malware was discovered on the companies’ computer networks; however, it is important to note that the role of BE in this event remains unknown pending further technical analysis.

An interagency team comprised of representatives from the National Cybersecurity and Communications Integration Center (NCCIC)/Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), U.S. Computer Emergency Readiness Team (US-CERT), Department of Energy, Federal Bureau of Investigation, and the North American Electric Reliability Corporation traveled to Ukraine to collaborate and gain more insight. The Ukrainian government worked closely and openly with the U.S. team and shared information to help prevent future cyber-attacks.

This report provides an account of the events that took place based on interviews with company personnel. This report is being shared for situational awareness and network defense purposes. ICS-CERT strongly encourages organizations across all sectors to review and employ the mitigation strategies listed below.

Additional information on this incident including technical indicators can be found in the TLP GREEN alert (IR-ALERT-H-16-043-01P and subsequent updates) that was released to the US-CERT secure portal. US critical infrastructure asset owners and operators can request access to this information by emailing [email protected].

DETAILS

The following account of events is based on the interagency team’s interviews with operations and information technology staff and leadership at six Ukrainian organizations with first-hand experience of the event. Following these discussions and interviews, the team assesses that the outages experienced on December 23, 2015, were caused by external cyber-attackers. The team was not able to independently review technical evidence of the cyber-attack; however, a significant number of independent reports from the team’s interviews as well as documentary findings corroborate the events as outlined below.

Through interviews with impacted entities, the team learned that power outages were caused by remote cyber intrusions at three regional electric power distribution companies (Oblenergos) impacting approximately 225,000 customers. While power has been restored, all the impacted Oblenergos continue to run under constrained operations. In addition, three other organizations, some from other critical infrastructure sectors, were also intruded upon but did not experience operational impacts.

The cyber-attack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks. According to company personnel, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities. During the cyber-attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections. The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access.

All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack. The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable. It was further reported that in at least one instance, Windows-based human-machine interfaces (HMIs) embedded in remote terminal units were also overwritten with KillDisk. The actors also rendered Serial-to-Ethernet devices at substations inoperable by corrupting their firmware. In addition, the actors reportedly scheduled disconnects for server Uninterruptable Power Supplies (UPS) via the UPS remote management interface. The team assesses that these actions were done in an attempt to interfere with expected restoration efforts.

Each company also reported that they had been infected with BlackEnergy malware; however, we do not know whether the malware played a role in the cyber-attacks. The malware was reportedly delivered via spear phishing emails with malicious Microsoft Office attachments. It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials; however, this information is still being evaluated. It is important to underscore that any remote access Trojan could have been used and none of BlackEnergy’s specific capabilities were reportedly leveraged.

MITIGATION

The first, most important step in cybersecurity is implementation of information resources management best practices. Key examples include: procurement and licensing of trusted hardware and software systems; knowing who and what is on your network through hardware and software asset management automation; on time patching of systems; and strategic technology refresh.

Organizations should develop and exercise contingency plans that allow for the safe operation or shutdown of operational processes in the event that their ICS is breached. These plans should include the assumption that the ICS is actively working counter to the safe operation of the process.

ICS-CERT recommends that asset owners take defensive measures by leveraging best practices to minimize the risk from similar malicious cyber activity.

Application Whitelisting (AWL) can detect and prevent attempted execution of malware uploaded by malicious actors. The static nature of some systems, such as database servers and HMI computers, make these ideal candidates to run AWL. Operators are encouraged to work with their vendors to baseline and calibrate AWL deployments.

Organizations should isolate ICS networks from any untrusted networks, especially the Internet. All unused ports should be locked down and all unused services turned off. If a defined business requirement or control function exists, only allow real-time connectivity to external networks. If one-way communication can accomplish a task, use optical separation (“data diode”). If bidirectional communication is necessary, then use a single open port over a restricted network path.

Organizations should also limit Remote Access functionality wherever possible. Modems are especially insecure. Users should implement “monitoring only” access that is enforced by data diodes, and do not rely on “read only” access enforced by software configurations or permissions. Remote persistent vendor connections should not be allowed into the control network. Remote access should be operator controlled, time limited, and procedurally similar to “lock out, tag out.” The same remote access paths for vendor and employee connections can be used; however, double standards should not be allowed. Strong multi-factor authentication should be used if possible, avoiding schemes where both tokens are similar types and can be easily stolen (e.g., password and soft certificate).

As in common networking environments, control system domains can be subject to a myriad of vulnerabilities that can provide malicious actors with a “backdoor” to gain unauthorized access. Often, backdoors are simple shortcomings in the architecture perimeter, or embedded capabilities that are forgotten, unnoticed, or simply disregarded. Malicious actors often do not require physical access to a domain to gain access to it and will usually leverage any discovered access functionality. Modern networks, especially those in the control systems arena, often have inherent capabilities that are deployed without sufficient security analysis and can provide access to malicious actors once they are discovered. These backdoors can be accidentally created in various places on the network, but it is the network perimeter that is of greatest concern.

When looking at network perimeter components, the modern IT architecture will have technologies to provide for robust remote access. These technologies often include firewalls, public facing services, and wireless access. Each technology will allow enhanced communications in and amongst affiliated networks and will often be a subsystem of a much larger and more complex information infrastructure. However, each of these components can (and often do) have associated security vulnerabilities that an adversary will try to detect and leverage. Interconnected networks are particularly attractive to a malicious actor, because a single point of compromise may provide extended access because of pre-existing trust established among interconnected resources.

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

Additional information on this incident including technical indicators can be found in the TLP GREEN alert (IR-ALERT-H-16-043-01P and subsequent updates) that was released to the US-CERT secure portal. US critical infrastructure asset owners and operators can request access to this information by emailing [email protected].

Systems Affected

Microsoft Windows

Overview

Dorkbot is a botnet used to steal online payment, participate in distributed denial-of-service (DDoS) attacks, and deliver other types of malware to victims’ computers. According to Microsoft, the family of malware used in this botnet “has infected more than one million personal computers in over 190 countries over the course of the past year.” The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and Microsoft, is releasing this Technical Alert to provide further information about Dorkbot.

Impact

A system infected with Dorkbot may be used to send spam, participate in DDoS attacks, or harvest users’ credentials for online services, including banking services.

Solution

Users are advised to take the following actions to remediate Dorkbot infections:

Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. Even though Dorkbot is designed to evade detection, security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your anti-virus software up-to-date. If you suspect you may be a victim of Dorkbot, update your anti-virus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)

Change your passwords – Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords for more information.)

Keep your operating system and application software up-to-date – Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches for more information.)

Use anti-malware tools – Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool (see example below) to help remove Dorkbot from their systems.

Disable Autorun – Dorkbot tries to use the Windows Autorun function to propagate via removable drives (e.g., USB flash drive). You can disable Autorun to stop the threat from spreading.
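The following is an added example, not US-CERT's, Microsoft's, or any vendor's code, showing how the Autorun recommendation above is applied and verified through the documented Explorer policy values: `NoDriveTypeAutoRun` (a bit mask of drive types for which Autorun is disabled; `0xFF` covers every type) and `NoAutorun` (ignore the commands in an `autorun.inf`). It writes both the machine-wide and the current-user policy keys and prints the state before and after.

```powershell
# Added example (not US-CERT's or Microsoft's code): disable Windows Autorun for all
# drive types machine-wide and for the current user, showing the state before and after.
# The HKLM write requires an elevated prompt; the change applies to new logon sessions.

$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutoRunState {
    param([string]$Key)
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key                = $Key
        # Unset means Windows' own default applies (0x91 on Windows 7 and later),
        # which still leaves removable and fixed drives eligible for Autorun.
        NoDriveTypeAutoRun = if ($null -ne $props.NoDriveTypeAutoRun) { '0x{0:X2}' -f $props.NoDriveTypeAutoRun } else { '(not set)' }
        NoAutorun          = if ($null -ne $props.NoAutorun) { $props.NoAutorun } else { '(not set)' }
    }
}

Write-Host 'Before:'
$policyKeys | ForEach-Object { Get-AutoRunState -Key $_ } | Format-Table -AutoSize

foreach ($key in $policyKeys) {
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    # 0xFF: every drive-type bit set (unknown, removable, fixed, network, CD-ROM, RAM disk).
    Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    # 1: do not honour autorun.inf commands even where AutoPlay prompts remain enabled.
    Set-ItemProperty -Path $key -Name 'NoAutorun' -Value 1 -Type DWord
}

Write-Host 'After:'
$policyKeys | ForEach-Object { Get-AutoRunState -Key $_ } | Format-Table -AutoSize
```

In a managed environment the same two values are set centrally through the Group Policy setting "Turn off Autoplay" (Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies), which keeps the setting from drifting after a rebuild or a local change.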